[DEFAULT]
# Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption
watch_while = 3602
# Max tries before being banned
maxtries = 3
# pf table to keep bad IP.
# remember to clean the table with this command in a cron job :
#     /sbin/pfctl -t vilain_bruteforce -T expire 86400
vilain_table = vilain_bruteforce

# vilain log file
vilain_log = /var/log/daemon

# duration before each checks on the different log files
sleeptime = 3.0

### Ip ignored ###
[ignoreip]
ip1 = 127.0.0.1

### Guardians
#[name of the guardian]
#logfile = /file/to/watch
#regex = regex that return the bad guy IP
#maxtries = 2 #facultative

[sshfail]
logfile = /var/log/authlog
regex = .* Failed .* from ([\S]+) .*

[sshrootauth]
logfile = /var/log/authlog
regex = .* Disconnected from authenticating user root ([\S]+) .*
maxtries = 1

[sshinvaliduser]
logfile = /var/log/authlog
regex = .* Invalid user \w+ from ([\S]+) .*
maxtries = 1

[sshroot]
logfile = /var/log/authlog
regex = .* Failed .* for root from ([\S]+) .*
maxtries = 1

[sshbadprotocol]
logfile = /var/log/authlog
regex = .*Bad protocol version identification .* from ([\S]+) .*

#[http404]
#logfile = /var/www/logs/access.log
#regex = (?:\S+\s){1}(\S+).*\s404\s.*

[http401]
logfile = /var/www/logs/access.log
regex = (?:\S+\s){1}(\S+).*\s401\s.*

[http403]
logfile = /var/www/logs/access.log
regex = (?:\S+\s){1}(\S+).*\s403\s.*

[smtp]
logfile = /var/log/maillog
regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\"
maxtries = 2

[dovecot]
logfile = /var/log/maillog
regex = .*auth failed.*rip=([\S]+),.*
maxtries = 2

[dovecot2]
logfile = /var/log/maillog
regex = .*no auth attempts in.*rip=([\S]+),.*failed.*
maxtries = 2

[wordpress]
# don't use if you have wordpress
logfile = /var/www/logs/access.log
regex = (?:\S+\s){1}(\S+).*wp-login.php.*
maxtries = 1

# Nextcloud: login page
# Nextcloud 12 brings protection against brute-force attacks
# but 1/ not yet tested so far 2/ system protection is probably more efficient
[nextcloud]
logfile = /var/www/htdocs/datacloud/nextcloud.log
regex = .*Bruteforce attempt from \\"(.*)\\" detected

# Nextcloud: public shares protected by password
# regex is compliant with NginX log format:
#     /etc/nginx/nginx.conf:
#        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
#                        '$status $body_bytes_sent "$http_referer" '
#                        '"$http_user_agent" "$http_x_forwarded_for"';
[nextcloud-share]
logfile = /var/www/logs/access-nextcloud.log
regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200